Who… What… Where…

All below examples are based on establishing a connection to a remote computer and performing a WMI query.

Computer Disk Information

Retrieves information about all physical disks (distinguished by the numerical value 3), and displays ins volume identifier (drive letter) and free vs used space.

Const HARD_DISK = 3

Set objWMIService = GetObject(“winmgmts:” & “{impersonationLevel=impersonate}!\\” & “COMPUTER” & “\root\cimv2″)

Set colDisks = objWMIService.ExecQuery (“Select * from Win32_LogicalDisk Where DriveType = ” & HARD_DISK & “”)

For Each objDisk in colDisks

‘objDisk.FreeSpace

‘Wscript.Echo objDisk.DeviceID

Wscript.Echo objDisk.DeviceID + ” Disk Size (GB): ” + CStr(Round((((objDisk.Size / 1024)/1024)/1024),1))

Wscript.Echo objDisk.DeviceID + ” Free Disk Space (GB): ” + CStr(Round((((objDisk.FreeSpace / 1024)/1024)/1024),2))

Next

Set colDisks = objWMIService.ExecQuery (“Select * from Win32_LogicalDisk Where DriveType = ” & HARD_DISK & “”)

For Each objDisk in colDisks

Wscript.Echo objDisk.DeviceID + ” Disk Size (GB): ” + CStr(Round((((objDisk.Size / 1024)/1024)/1024),1))

Wscript.Echo objDisk.DeviceID + ” Free Disk Space (GB): ” + CStr(Round((((objDisk.FreeSpace / 1024)/1024)/1024),2))

Next

Network Card Information

Retrieves information about the Network Cards configured on the computer, looping through all valid adapters present.

Set objWMIService = GetObject(“winmgmts:” & “{impersonationLevel=impersonate}!\\” & “COMPUTER” & “\root\cimv2″)

Set colAdapters = objWMIService.ExecQuery (“Select * from Win32_NetworkAdapterConfiguration Where IPEnabled=TRUE”)

j = 1

For Each objAdapter in colAdapters

Wscript.Echo “===Adapter ” & CStr(j)

If Not IsNull(objAdapter.IPAddress) Then

For i=LBound(objAdapter.IPAddress) to UBound(objAdapter.IPAddress)

Wscript.Echo “IP Address: ” + objAdapter.IPAddress(i)

WScript.Echo “Subnet: ” & objAdapter.IPSubnet(i)

Next

WScript.Echo “Gateway: ” & objAdapter.DefaultIPGateway(0)

For i = 0 To UBound(objAdapter.DNSServerSearchOrder)

WScript.Echo “DNS Server: ” & objAdapter.DNSServerSearchOrder(i)

Next

For i = 0 To UBound(objAdapter.DNSDomainSuffixSearchOrder)

WScript.Echo “DNS suffix list: ” & objAdapter.DNSDomainSuffixSearchOrder(i)

Next

End If

j = j+1

Next

Operating System / up-time Information

Retrieves Information about the host operating system and current service pack, also information on the up-time of the host; be aware that if the regional settings differ the results may appear inaccurate.

Set colOperatingSystems = objWMIService.ExecQuery (“Select * from Win32_OperatingSystem”)

For Each objOS in colOperatingSystems

dtmBootup = objOS.LastBootUpTime

dtmLastBootupTime = WMIDateStringToDate(dtmBootup)

dtmSystemUptime = DateDiff(“n”, dtmLastBootUpTime, Now)

Wscript.Echo “Uptime: ” & CStr(Round((dtmSystemUptime /60) /24)) & ” Day(s)”

Next

For Each objOperatingSystem in colOperatingSystems

Wscript.Echo “OS: ” & objOperatingSystem.Caption & ” ” & objOperatingSystem.Version

Wscript.Echo “Service Pack: ” & objOperatingSystem.ServicePackMajorVersion & “.” & objOperatingSystem.ServicePackMinorVersion

Next

Function WMIDateStringToDate(dtmBootup)

WMIDateStringToDate = CDate(Mid(dtmBootup, 5, 2) & “/” & _

Mid(dtmBootup, 7, 2) & “/” & Left(dtmBootup, 4) _

& ” ” & Mid (dtmBootup, 9, 2) & “:” & _

Mid(dtmBootup, 11, 2) & “:” & Mid(dtmBootup,13, 2))

End Function

Symantec Antivirus Definition Version

This query has been tested on versions 7.x and 9.x. The principle is to connect to the remote file system and read the contents of the file named “definfo.dat” to define the date / version of the definitions loaded on the target computer.

Set objFSO = CreateObject(“Scripting.FileSystemObject”)

Set objFile = objFSO.GetFile(“\\” & “COMPUTER” & “\c$\Program Files\Common Files\Symantec Shared\VirusDefs\definfo.dat”)

If objFSO.FileExists(objFile) Then

Set objDatFile = objFSO.OpenTextFile(objFile, 1)

Do Until objDatFile.AtEndOfStream

strLine = objDatFile.Readline

intCurDefs = InStr(strLine , “CurDefs”)

If intCurDefs > 0 Then

strCurDefs = strLine

strDateDefs = Mid(strCurDefs, 9, 8 )

dtYear = Left(strDateDefs, 4)

dtMonth = Mid(strDateDefs, 5, 2)

dtDay = Right(strDateDefs, 2)

DateVirDefs = dtMonth & “/” & dtDay & “/” & dtYear

dtDefDate = CDate(DatevirDefs)

strRevNumber = Right(strCurDefs, 3)

Wscript.Echo “Definition: ” & dtDefDate & ” ” & strRevNumber

End If

Loop

objDatFile.Close

Else

Wscript.Echo “The file definfo.dat does not exist”

End If

All of the above queries have been rolled up with into once script which also combines an AD query element; this script can be downloaded here

By using a VB scripts we can perform a WMI (Windows Management Instrumentation) connection to a host to execute a query against.

Below is an example of a WMI query connecting to the host named “computer”, once connected will loop around each drive letter which is a hard drive displaying the drive letter and total disk space in GB

On Error Resume Next
Const HARD_DISK = 3

Set objWMIService = GetObject(“winmgmts:” & “{impersonationLevel=impersonate}!\\” & “computer” & “\root\cimv2″)

if Err.Number = 0 then
‘ Add WMI Query Script in here!

Set colDisks = objWMIService.ExecQuery (“Select * from Win32_LogicalDisk Where DriveType = ” & HARD_DISK & “”)
For Each objDisk in colDisks

Wscript.Echo objDisk.DeviceID + ” Disk Size (GB): ” + CStr(Round((((objDisk.Size / 1024)/1024)/1024),1))

Next

else
Wscript.echo “Could not connect to ” & “computer” & ” error ” & Err.Number
End If

Err.Clear

The above WMI query can be combined with an Active Directory query to make the script more versatile (further information is here), an example of this script is below:

On Error Resume Next
Const ADS_SCOPE_SUBTREE = 2
Const HARD_DISK = 3

Set objConnection = CreateObject(“ADODB.Connection”)
Set objCommand =   CreateObject(“ADODB.Command”)
objConnection.Provider = “ADsDSOObject”
objConnection.Open “Active Directory Provider”

Set objCOmmand.ActiveConnection = objConnection
objCommand.CommandText = “Select Name from ‘LDAP://OU=MyServers,DC=Domain,DC=co,DC=uk’ ” & “Where objectClass=’computer’”
objCommand.Properties(”Page Size”) = 1000
objCommand.Properties(”Searchscope”) = ADS_SCOPE_SUBTREE
Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst

Do Until objRecordSet.EOF
Wscript.Echo “Computer Name: ” & objRecordSet.Fields(“Name”).Value

Set objWMIService = GetObject(“winmgmts:” & “{impersonationLevel=impersonate}!\\” & objRecordSet.Fields(“Name”).Value & “\root\cimv2″)

if Err.Number = 0 then

‘ Add WMI Query Script in here!

else
Wscript.echo “Could not connect to ” & objRecordSet.Fields(“Name”).Value & ” error ” & Err.Number
End If

Err.Clear
objRecordSet.MoveNext
Loop

A number of WMI queries used can be found in the reference page WMI_Queries

Below are a series of tables that show a mapping of Active Directory attributes to there LDAP counter parts

Object class “computer”

Object class “group”

In an Active Directory environment there is often a requirement to query objects within the AD  database, either returning selected attribute values or using this information to for further queries.

The same principles apply across any object type, the script below connects via LDAP, performs a query and returns selected values from Active Directory.

The below script will query all objects in the OU MyServers and subtree, in the domain Domain.co.uk, of type computer, returning the attributes Name and Location.

Const ADS_SCOPE_SUBTREE = 2

Set objConnection = CreateObject(”ADODB.Connection”)
Set objCommand = CreateObject(”ADODB.Command”)
objConnection.Provider = “ADsDSOObject”
objConnection.Open “Active Directory Provider”

Set objCOmmand.ActiveConnection = objConnection
objCommand.CommandText = “Select Name, Location from ‘LDAP://OU=MyServers,DC=Domain,DC=co,DC=uk’ ” & “Where objectClass=’computer’”
objCommand.Properties(”Page Size”) = 1000
objCommand.Properties(”Searchscope”) = ADS_SCOPE_SUBTREE
Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst
Do Until objRecordSet.EOF

‘ Insert Operators here
objRecordSet.MoveNext

Loop

Once the query has been run the results can then be used for any requirement, a simple example below is to display  the name of the computer followed by the Location attribute stored in AD.

……
Do Until objRecordSet.EOF

‘ Insert Operators here
Wscript.Echo “Computer Name: ” & objRecordSet.Fields(”Name”).Value
Wscript.Echo “Location: ” & objRecordSet.Fields(”Location”).Value

objRecordSet.MoveNext
Loop

Any attribute of the object can be displayed as long as it was requested in the initial query; Select Name, Location from…. , attribute names are LDAP attributes rather than field names seen in the Active Directory Users and Computers mmc. A list of attributes can be found here; Active Directory LDAP Attributes

One way to enhance this script further is for each computer selected perform a WMI query against it; VB WMI Query

There are a number of ways to query the Active Directory database to export objects and there attributes. One of the most common groups of tools are provided by Microsoft; dsget and dsquery.

Query Group Members

To display the member of a specific group use the dsget group command

dsget group “CN=My Group,OU=Domain Groups,DC=Domain,DC=co,DC=uk” -members

The above command will list the UPN of the users in My Group, if more information is required from each of the users within My Group the output can be piped into another dsget command

To display the member of a specific group use the dsget group command

dsget group “CN=My Group,OU=Domain Groups,DC=Domain,DC=co,DC=uk” -members | dsget user -upn -display -disabled -acctexpires

This commnd above will list the users in the group My Group with there UPN, display name, if the account is disabled and when the account expires.

There is a lot of information that Active Directory stores in its database that is not necessarily available through common tools such as Active Directory Users and Computers MMC.

With the Active Directory Users and Computers MMC installed, and by using part of Microsoft’s Account Lockout and Management Tool, extra user account information can be made accessible, this includes:

• Password last set time
• Password expiry time
• SID and GUID
• Last Logon \ Logoff \ Bad Password time
• Logon \ Bad Password count

NB: The last logon and logoff attributes within a Windows 2000 domain are not replicated between domain controllers… therefore not accurate. However this has been fixed with AD 2003 by adding another attribute into the schema called lastLogonTimestamp which is replicated.

The first step is to get the acctinfo.dll available from the above tool or here.

Next, copy the file to C:\WINDOWS\SYSTEM32 then run the command

regsvr32 C:\WINDOWS\SYSTEM32\acctinfo.dll

This will register the dll, when opening the Users and Computers console you will notice another tab called Additional Account Info. This is where the extra information is displayed.